Malware Research Institute
2015-07-26T00:06:16+02:00
http://blog.malwareresearch.institute
Malware Research Institute
Complex Incident Response Investigations: How to Minimise Breach Impact
2015-07-25T00:00:00+02:00
http://blog.malwareresearch.institute/video/2015/07/25/complex-incident-response-investigations-how-to-minimise-breach-impact
<p>How prepared are you for a data breach? </p>
<p>With the threat environment growing more complex, and the rise in advanced and targeted attacks, how does your response plan hold up? Threat actors have changed their tactics; so must you.</p>
<p>During this webcast, Rafe Pilling, Senior Security Researcher for the Dell SecureWorks Counter Threat Unit (CTU), will share advice based on real-world examples to help ensure your organisation is infinitely better prepared to respond to a security breach.</p>
<p>Key topics covered include:</p>
<ul>
<li>A view of the evolving threat landscape and how this could impact you</li>
<li>Examples of critical mistakes Dell SecureWorks has observed in real-world cases</li>
<li>Developing a robust incident response plan</li>
<li>Maximising the value of current controls and improving your overall security posture</li>
</ul>
<script type="text/javascript" src="https://www.brighttalk.com/clients/js/embed/embed.js"></script>
<object class="BrightTALKEmbed" width="705" height="660"><param name="player" value="channel_player" /><param name="domain" value="http://www.brighttalk.com" /><param name="channelid" value="5416" /><param name="communicationid" value="160453" /><param name="autoStart" value="false" /><param name="theme" value="" /></object>
Reverse Engineering Mac Malware
2015-04-03T00:00:00+02:00
http://blog.malwareresearch.institute/video/2015/04/03/reverse-engineering-mac-malware
<p>Dynamic malware reverse engineering helps forensic analysts and reverse engineers gather quick data points such as callout domains, file download URLs or IP addresses, and dropped or modified files. These methods have long been used on Windows malware…so why not Mac malware? This presentation introduces the audience to methods, tools, and resources to assist reversing Mac binaries with a Mac. Topics include Mach-O file format, virtualization, analysis VM setup, and various analysis tools (native and 3rd-party). This presentation is intended for those familiar with dynamic analysis (with a touch of static thrown in) or for those reverse engineering masters of the Windows executable to get an introductory idea of how to start analyzing Mac malware.</p>
<p>The webcast can be viewed at <a href="https://www.sans.org/webcasts/reverse-engineering-mac-malware-99792">https://www.sans.org/webcasts/reverse-engineering-mac-malware-99792</a>.</p>
APTs: Getting Serious About Zero-Day Threats
2015-04-02T00:00:00+02:00
http://blog.malwareresearch.institute/video/2015/04/02/apts-getting-serious-about-zero-day-threats
<p>Cyber security remains the #1 priority for IT security executives and practitioners in 2012 for good reason. With cyber-attacks on federal government systems and civilian networks increasing at an alarming rate, the threat posed is only heightened by vulnerabilities in networks that support critical operations and infrastructure. In fact, on a weekly basis, over 95% of organizations have at least 10 malicious infections bypass existing security to penetrate their networks. </p>
<p>In a recent congressional hearing, a former FBI cyber security specialist stated: “I believe most major companies have already been breached or will be breached, resulting in substantial losses in information, economic competitiveness and national security. Many are breached and have absolutely no knowledge that an adversary was or remains resident on their network, often times for weeks, months or even years.” </p>
<p>Organizations need real time, dynamic protection from today’s most dangerous threats designed to bypass traditional security defenses. Attend this webcast to learn:</p>
<ul>
<li>The new techniques and tactics that make these next-generation attacks successful in the absence of a true defense-in-depth security architecture</li>
<li>Why conventional security defenses are no match for today’s sophisticated and coordinated attacks</li>
<li>How to detect and stop Web and email-based attacks that exploit zero-day vulnerabilities—when they first appear on your network</li>
<li>Key criteria when investigating next-generation threat protection</li>
</ul>
<script type="text/javascript" src="https://www.brighttalk.com/clients/js/embed/embed.js"></script>
<object class="BrightTALKEmbed" width="705" height="660"><param name="player" value="channel_player" /><param name="domain" value="http://www.brighttalk.com" /><param name="channelid" value="7451" /><param name="communicationid" value="51957" /><param name="autoStart" value="false" /><param name="theme" value="" /></object>
Extracting Actionable Cyber Intelligence from a RAT Named Poison Ivy
2015-03-31T00:00:00+02:00
http://blog.malwareresearch.institute/video/2015/03/31/extracting-actionable-cyber-intelligence-from-a-rat-named-poison-ivy
<p>Poison Ivy is older than the iPhone, Windows Vista, the Nintendo Wii, and Twitter, yet it remains one of the most popular Remote Access Trojans (RATs) in use today.</p>
<p>RATs like Poison Ivy make it possible for intruders to do virtually anything on a targeted computer, making it the perfect launchpad for sophisticated APT campaigns. But now there is a way to use data from the RAT to extract intelligence from networks compromised by Poison Ivy.</p>
<p>Join the FireEye Labs research team for a live briefing on a new FireEye research report and tool package that will enable security professionals to dissect attacks initiated by Poison Ivy.</p>
<p>Key topics include:</p>
<ul>
<li>How a typical Poison Ivy attack works, including insight into three ongoing cyber attack campaigns using Poison Ivy</li>
<li>How to use a new FireEye Calamine tool package that will enable you to decrypt Poison Ivy network traffic</li>
<li>How you can use this cyber intelligence to link Poison Ivy-driven activities to broader APT campaigns</li>
</ul>
<p>Join this live webcast, and learn how you can arm yourself with the cyber intelligence you need in order to effectively respond to APT campaigns leveraging Poison Ivy.</p>
<script type="text/javascript" src="https://www.brighttalk.com/clients/js/embed/embed.js"></script>
<object class="BrightTALKEmbed" width="705" height="660"><param name="player" value="channel_player" /><param name="domain" value="http://www.brighttalk.com" /><param name="channelid" value="7451" /><param name="communicationid" value="84437" /><param name="autoStart" value="false" /><param name="theme" value="" /></object>
Illbuster - fighting illegal content
2015-03-30T00:00:00+02:00
http://blog.malwareresearch.institute/video/2015/03/30/illbuster-fighting-illegal-content
<p>The talk was presented on October 23, 2014 at SECURE 2014 - an IT security conference organized by NASK and CERT Polska in Warsaw, Poland.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/CvHrb0ooNj0?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Deploying ICS Honeypots to Deceive and Thwart Adversaries
2015-03-29T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/29/deploying-ics-honeypots-to-deceive-and-thwart-adversaries
<p>The talk was presented on October 23, 2014 at SECURE 2014 - an IT security conference organized by NASK and CERT Polska in Warsaw, Poland.</p>
<p>About author: Lukas Rist is a software engineer with Blue Coat Norway where he develops behavioral malware analysis systems. In his spare time, he creates web application and ICS/SCADA honeypots and botnet monitoring tools under the umbrella of the Honeynet Project. He recently developed an interest in industrial security and automated SQL statement classification.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/43IMRroL1tA?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
A Threat-Based Security Monitoring Case Study
2015-03-28T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/28/a-threat-based-security-monitoring-case-study
<p>The talk was presented on October 23, 2014 at SECURE 2014 - an IT security conference organized by NASK and CERT Polska in Warsaw, Poland.</p>
<p>About author: Matthew Valites is a senior investigator and site lead on Cisco’s Computer Security Incident Response Team (CSIRT). He provides expertise building an Incident Response and monitoring program for cloud and hosted service enterprises, with a focus on targeted and high-value assets. A hobbyist Breaker and Maker for as long as he can recall, his current professional responsibilities include security investigations, mining security-centric alerts from large data sets, operationalizing CSIRT’s detection logic, and mobile device hacking. Matt is keen to share CSIRT’s knowledge, best practices, and lessons-learned.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/Pbjxq0iLuE0?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Cuckoo Sandbox and its recent developments
2015-03-27T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/27/cuckoo-sandbox-and-its-recent-developments
<p>The talk was presented on October 23, 2014 at SECURE 2014 - an IT security conference organized by NASK and CERT Polska in Warsaw, Poland.</p>
<p>About author: Jurriaan is a freelance security researcher and software developer from the Netherlands interested in the fields of reverse engineering, malware analysis, mobile security, and the development of software to aid in security analysis. Jurriaan is a Core Developer of Cuckoo Sandbox, a member of The Honeynet Project, and occasionally plays Capture The Flag games as a member of Eindbazen CTF Team.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/EAKvuToUw2s?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
YARA: The pattern matching swiss knife for malware researchers and everyone else
2015-03-26T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/26/yara-the-pattern-matching-swiss-knife-dot-dot-dot
<p>The talk “YARA: The pattern matching swiss knife for malware researchers and everyone else” was presented on October 23, 2014 at SECURE 2014 - an IT security conference organized by NASK and CERT Polska in Warsaw, Poland.</p>
<p>About author: Victor M. Alvarez is a Software Engineer at VirusTotal and the author of YARA. He has been working in the computer security industry for more than 10 years, initially as a Malware Researcher and more lately developing tools to help fighting malware. Nowadays he is committed to maintaining and developing VirusTotal’s core services.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/TTLuy0gx5vE?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Visual Malware Reversing: How to Stop Reading Assembly and Love the Code
2015-03-25T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/25/visual-malware-reversing-how-to-stop-reading-assembly-and-love-the-code
<p>Reverse engineering is a complicated process that has a lot of room for improvement. This talk will showcase some improvements to our visualization framework, VERA. New features that decrease the overall time to reverse a program will be shown. New items are a debugger based interface which allows for faster analysis without the need for a hypervisor, integrated trace processing tools, IDA Pro integration, and an API to interface with the display. During the talk I will reverse engineer malware samples, and show how to integrate it into your reversing process.</p>
<div class="embed video YouTube"><iframe width="459" height="344" src="https://www.youtube.com/embed/9nlWbDdxKjw?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
You can panic now. Host Protection is (mostly) dead
2015-03-24T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/24/you-can-panic-now-host-protection-is-mostly-dead
<p>Is host-based detection dead? No one has been able to see the APT circumvent common defenses because victims rarely share specific attack details. Until now. A real-world APT attack yields surprising findings about how ineffective sophisticated host-based defenses can be. Starting from the initial attack and following through to data exfiltration, this presentation will cover many of the tactics and techniques used by attackers to bypass the host-based controls used in many organisations today.</p>
<div class="embed video YouTube"><iframe width="459" height="344" src="https://www.youtube.com/embed/UNmy2lX02dA?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
10 Ways to Rock Your SOC
2015-03-23T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/23/10-ways-to-rock-your-soc
<p>Security operations analysts are frequently classed as “generalists.” The scope of their job description is split across a broad range of duties including incident response, risk assessments, vulnerability management, awareness training, security tool selection, deployment and management, and general troubleshooting. The ability to keep track of and prioritize each day’s tasks is a challenge, to say the least, and teams are often asked to “do more with less.” This session will highlight 10 ideas my small team has used to help us make more sense of our days, maximize our success and sanity, and improve our interactions with other IT groups in the organization.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/XoTWA_0Bnjo?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Reconciling Objective Data with Analytical Uncertainty
2015-03-22T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/22/reconciling-objective-data-with-analytical-uncertainty
<p>This talk will focus on the different sources of analytical uncertainty in traditional and cyber intelligence, where to draw lines between known data and assessed conclusions, and discuss how similar methods can be used to address analytical uncertainty within both traditional and cyber intelligence analysis. Examples will be pulled from current geopolitical events and cyber security blog posts and whitepapers.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/U9zOe57FYlc?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
DFIR Summit 2014 Keynote: Barbarians at Every Gate: Responding to a Determined Adversary
2015-03-21T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/21/dfir-summit-2014-keynote-barbarians-at-every-gate-responding-to-a-determined-adversary
<p>In the last six months, Mandiant has helped an organization repel targeted attackers that utilized an increasingly sophisticated set of tactics to re-compromise their environment. These tactics included:</p>
<ul>
<li>Leveraging interfaces from third-party networks</li>
<li>Use of the heartbleed exploit to bypass VPN authentication</li>
<li>Phishing attacks using a zero-day exploit in IE</li>
</ul>
<p>This presentation will focus on how Mandiant kept pace with a determined adversary, followed the breadcrumb trails from new attack vectors, and helped the client repel and remediate these attacks.</p>
Introduction to Windows Memory Analysis
2015-03-20T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/20/introduction-to-windows-memory-analysis
<p>Memory forensics has come a long way in just a few years. It can be extraordinarily effective at finding evidence of worms, rootkits, and advanced malware. While traditionally the sole domain of Windows internals experts, recent tools now make memory analysis feasible for anyone. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. This talk will introduce some of the newest free tools available and give you a head start in adding this valuable skill to your security toolkit.</p>
<div class="embed video YouTube"><iframe width="459" height="344" src="https://www.youtube.com/embed/SjDH_vTuefM?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Brian Baskin - Introducing Intelligence into Malware Analysis
2015-03-19T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/19/brian-baskin-introducing-intelligence-into-malware-analysis
<p>Malware analysis is the current en vogue topic for computer security companies and careers. However, many are still approaching malware the same way their forefathers did a decade ago. Malware analysis without intelligence leads to slower responses, duplication of effort, and disparate results for each incident. These issues are mitigated by taking a systematic, layered approach to analysis that can then be applied to your organization’s overall security posture through Free Open Source Software.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/VMScauiNsQQ?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Malware Hunting with Mark Russinovich and the Sysinternals Tools
2015-03-18T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/18/malware-hunting-with-mark-russinovich-and-the-sysinternals-tools
<p>Mark provides an overview of several Sysinternals tools, including Process Monitor, Process Explorer, and Autoruns, focusing on the features useful for malware analysis and removal. These utilities enable deep inspection and control of processes, file system and registry activity, and autostart execution points. He demonstrates their malware-hunting capabilities by presenting several current, real-world malware samples and using the tools to identify and clean malware.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/80vfTA9LrBM?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Malware Hunting with the Sysinternals Tools
2015-03-17T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/17/malware-hunting-with-the-sysinternals-tools
<p>This session provides an overview of several Sysinternals tools, including Process Monitor, Process Explorer, and Autoruns, focusing on the features useful for malware analysis and removal. These utilities enable deep inspection and control of processes, file system and registry activity, and autostart execution points. Mark Russinovich demonstrates their malware-hunting capabilities by presenting several real-world cases that used the tools to identify and clean malware, and concludes by performing a live analysis of a Stuxnet infection’s system impact.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/Wuy_Pm3KaV8?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Reverse Engineering By Crayon
2015-03-16T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/16/reverse-engineering-by-crayon
<p>Recent advances in hypervisor based application profilers have changed the game of reverse engineering. These powerful tools have made it orders of magnitude easier to reverse engineer and enabled the next generation of analysis techniques. We will also present and release our tool VERA, which is an advanced code visualization and profiling tool that integrates with the Ether Xen extensions. VERA allows for high-level program monitoring, as well as low-level code analysis. Using VERA, we’ll show how easy the process of unpacking armored code is, as well as identifying relevant and interesting portions of executables. VERA integrates with IDA Pro easily and helps you to annotate the executable before looking at a single assembly instruction. Initial testing with inexperienced reversers has shown that this tool provides an order of magnitude speedup compared to traditional techniques.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/dZzX-709Ogg?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Cuckoo Sandbox - malware beware [SIGINT13]
2015-03-15T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/15/cuckoo-sandbox-malware-beware-sigint13
<p>Cuckoo Sandbox is a widely used open-source project for automated dynamic malware analysis. It takes malicious documents or URLs as input and provides both high-level overview reports as well as detailed API call traces of the activities observed inside a virtual machine. The project was founded by Claudio Guarnieri and is mainly developed by four developers in their free time and during weekends.</p>
<p>Cuckoo Sandbox distinguishes itself from other solutions thanks to its modular design and flexible customization features. Because of this unique emphasis, several large IT corporations and security companies run Cuckoo Sandbox to analyze malware samples on a daily basis, and it is often placed alongside traditional perimeter security products as an added weapon in incident response and security teams’ arsenals. Being open-source, it also empowers independent and academic security researchers to use a full-fledged malware analysis sandbox freely.</p>
<p>For the latest available version we saw more than 8000 downloads and a few hundred constantly running deployments with enabled update-checks. This community also contributes to the project in various forms such as setup instructions, code contributions, behavioral signatures, feature requests and usability feedback and is actively engaged in conversations over mailing lists and IRC.</p>
<div class="embed video YouTube"><iframe width="459" height="344" src="https://www.youtube.com/embed/720Vh3FaGN8?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Cuckoo Sandbox - Automated Malware Analysis
2015-03-14T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/14/cuckoo-sandbox-automated-malware-analysis
<p>Cuckoo Sandbox is an open source automated malware analysis system. It started as a Google Summer of Code 2010 project with The Honeynet Project and evolved into being one of the most appreciated and popular open source sandbox solutions.</p>
<p>Its goal is to provide a way to automatically analyze files and collect comprehensive results describing and outlining what such files do while executed inside an isolated environment. It’s mostly used to analyze Windows executables, DLL files, PDF documents, Office documents, PHP scripts, Python scripts, Internet URLs and almost anything else you can imagine. In this presentation we’ll discuss open source sandboxing, dive into the design and development of Cuckoo, and kick off from regular usage before moving into more juicy experiments, playing with APTs, exploits and banking trojans of every flavor.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/uq8a7watLNU?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Memory Forensics for Incident Response - SANS DFIR WEBCAST
2015-03-13T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/13/memory-forensics-for-incident-response-sans-dfir-webcast
<p>Modern malware has become extremely adept at avoiding detection by traditional endpoint analysis tools. Memory Forensics gives the investigator multiple solutions for detecting typical malware techniques such as code injection, API hooking, and process hiding. This talk is an overview of Memory Forensics including how to acquire memory images and tools and techniques for analyzing them.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/3xAEsDT-4NA?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Analysis and Correlation of Macintosh Logs - SANS DFIR WEBCASTS
2015-03-12T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/12/analysis-and-correlation-of-macintosh-logs-sans-dfir-webcasts
<p>When was this user logged on the system? Where was this system on a given date? What devices were used on the system? How often was the system used? Is the system compromised? - These questions may be answered by viewing the logs provided by Mac OS X. This presentation will cover the variety of logs, tools to read them, and analysis of additional file system files to provide a clear picture of events. User, network, or software activities can provide a timeline that can be used to uncover the clandestine activity on the system - whether or not it was meant to be secret.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/KvwQNtranaY?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Malware Immunization via Infection Markers
2015-03-11T00:00:00+01:00
http://blog.malwareresearch.institute/article/2015/03/11/malware-immunization-via-infection-markers
<p>Lenny Zeltser just posted an interesting article about protecting production systems by implanting markers that lead malware to believe either that it is running in a malware analysis environment or that the system is already infected, so that the malware does not infect it again.</p>
<p>The article is using <a href="https://github.com/adamkramer/rapid_env">rapid_env</a>, a tool written in C++ that creates registry entries, files and mutexes by using a configuration file - meaning that your IOC can be used to fake an infection (do remember to take note that the system has been “immunized” so you won’t go on a wild goose chase looking for infected machines). </p>
<p>Read the full article over at <a href="https://zeltser.com/malware-immunization-infection-markers/">https://zeltser.com/malware-immunization-infection-markers/</a></p>
How memory forensics will help you lose weight and look ten years younger - SANS DFIR WEBCAST
2015-03-11T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/11/how-memory-forensics-will-help-you-lose-weight-and-look-ten-years-younger-sans-dfir-webcast
<p>Ok, so maybe not quite those things, but memory forensics can help your investigation in ways which no other technique can match. Memory images contain user data which is unavailable from other sources, such as encryption keys and full-content network traffic. Previously existing memory images on your system may give you these kinds of details from an earlier time in the computer’s history. Those of you looking for malware will be pleased to know that programs and drivers simply cannot hide in memory. We will suss them out no matter where they go. All of this adds up to faster and better results in your cases, leaving you with time to lose weight and look younger naturally!</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/FnDwSzavzLk?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Knock-off Phone Forensics: Some Handsets Aren't What They Appear To Be - SANS DFIR WEBCAST
2015-03-10T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/10/knock-off-phone-forensics-some-handsets-arent-what-they-appear-to-be-sans-dfir-webcast
<p>Mobile devices are not always what they appear to be. Knock-off handsets are prevalent in Asia, Europe and are infiltrating the borders of the United States. Commercial forensic tools do not provide the same amount of support for knock-off devices as they do for GSM and CDMA handsets. Specialized forensic tools and add-on options to commercial kits are available, however not all of the data is parsed for the investigator. This talk will lead an exploration of the different methods for acquiring and analyzing knock-off handsets, to include a live acquisition demonstration. A detailed overview of the files contained within a physical dump of a knock-off device will be provided. Examples will be provided to demonstrate proper parsing methods and data interpretation of the knock-off device files.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/aVqFdt8j8Bk?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Network Forensics: What Are Your Investigations Missing? - SANS DFIR WEBCAST
2015-03-09T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/09/network-forensics-what-are-your-investigations-missing-sans-dfir-webcast
<p>Traditionally, computer forensic investigations focused exclusively on data from the seized media associated with a system of interest. Recently, memory analysis has become an integral part of forensic analysis, resulting in a new and significantly different way for digital examiners and investigators to perform their craft.</p>
<p>Now another evolution in computer forensics is at hand - one that includes data collected from network devices as well as from the wires themselves. Every day, more and more network-enabled products hit the market. Incorporating network data from those devices during the analytic process is critical for providing a complete understanding of the event under investigation. Even in traditional data-at-rest examinations, the network may hold the only clues left behind by a diligent attacker that has covered his or her tracks.</p>
<p>We’ll discuss how network-based evidence can support traditional data-at-rest computer forensic analysis. Other topics will include the sources and methodologies for collecting network evidence. By knowing what existing data to ask for and what additional data to collect during an investigation, we can provide a more comprehensive analysis of the event at hand.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/cVbil4y702o?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
How Malware Generates Mutex Names to Evade Detection
2015-03-09T00:00:00+01:00
http://blog.malwareresearch.institute/article/2015/03/09/how-malware-generates-mutex-names-to-evade-detection
<p>Lenny Zeltser talks about TreasureHunter (md5: 070e9a317ee53ac3814eb86bc7d5bf49), that uses the Windows <a href="https://support.microsoft.com/gp/selectpid?wa=wsignin1.0">Product ID</a> to generate the mutex used to verify if the host has already been infected or not. Why is this a problem? Well, each infection generates a different mutex for your Indicators Of Compromise (IOC).</p>
<p>Do read the whole story over at the ISC Diary <a href="https://isc.sans.edu/forums/diary/How+Malware+Generates+Mutex+Names+to+Evade+Detection/19429/">How Malware Generates Mutex Names to Evade Detection</a>.</p>
Protecting Privileged Domain Accounts during Live Response - SANS DFIR WEBCAST
2015-03-08T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/08/protecting-privileged-domain-accounts-during-live-response-sans-dfir-webcast
<p>It is amazing how many responders have accidentally handed their domain credentials to the very adversaries they are investigating, simply by logging in to the system to perform IR or by using a simple tool such as psexec from Sysinternals. Tomorrow Mike Pilkington is giving a talk on the proper way to interact with remote systems you are investigating, so that you do not accidentally help the groups we are investigating during IR. This is a topic where I realized I had been bitten by the bug of doing it the “wrong way”. Windows is incredibly complex, and understanding this series will make it easier for you not to “make the problem worse” while performing IR.</p>
<p>From Mike - “Have you ever made a connection to a potentially compromised remote machine using a privileged domain account and wondered if there was any chance that your privileged credentials could be revealed in some way to the attacker? I have. After wondering and worrying about it, the curiosity (and paranoia) finally got to me and so I set off on a journey to research attacks against domain credentials, and in particular, their implication for incident responders. I’ve presented on this topic a few times and now I will (finally) take the time to document my findings. This is the first article in what will be a multi-part series on this research. I find this to be a fascinating topic and one which should be of interest to the entire IR community. That said, be forewarned that these articles will not be quick reads. If you’ll stick with me though, I believe it will be worth your time because you should walk away knowing exactly what you can and cannot do safely with your privileged domain accounts.”</p>
<p>BLOG SERIES</p>
<ul>
<li>Part 1 - <a href="http://computer-forensics.sans.org/blog/2012/02/21/protecting-privileged-domain-account-safeguarding-password-hashes">Protecting Privileged Domain Accounts: Safeguarding Password Hashes</a></li>
<li>Part 2 - <a href="http://computer-forensics.sans.org/blog/2012/02/29/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly">Protecting Privileged Domain Accounts: LM Hashes – The Good, the Bad, and the Ugly</a></li>
<li>Part 3 - <a href="http://computer-forensics.sans.org/blog/2012/03/09/protecting-privileged-domain-accounts-disabling-encrypted-passwords">Protecting Privileged Domain Accounts: Disabling Encrypted Passwords</a></li>
<li>Part 4 - <a href="http://computer-forensics.sans.org/blog/2012/03/21/protecting-privileged-domain-accounts-access-tokens">Protecting Privileged Domain Accounts: Safeguarding Access Tokens</a></li>
</ul>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/2u4XlN52GIw?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Detecting Persistence Mechanisms - SANS DFIR WEBCAST
2015-03-07T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/07/detecting-persistence-mechanisms-sans-dfir-webcast
<p>Persistence mechanisms are techniques used by malware to increase survivability on compromised host systems. For an incident responder, the identification of specific artifacts created by such techniques can provide excellent insight into the function of the malicious code. In fact, these host-based artifacts aid in unraveling the adversary’s methodologies and the subsequent identification of other compromised systems on the network. This presentation will cover both common persistence mechanisms such as modified registry keys, Windows service persistence and other methods seen in past campaigns as well as newer techniques from malware hitting today’s enterprises. Also during this hour, several tools useful in isolating and identifying persistence indicators will be introduced. This session covers key skills needed on effective security teams and is a “must attend” webcast for those working in the IR profession.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/ebPKUWqAk7U?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Leveraging Cyber Threat Intelligence
2015-03-06T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/06/leveraging-cyber-threat-intelligence
<p>In perhaps the greatest film ever made, Arnold Schwarzenegger’s elite team of Special Forces operators is pitted against an alien adversary who outmatches them in nearly every encounter. Hopelessly outmatched, Dutch must change his tactics to ultimately defeat the Predator. Enterprises are at a similar point; one look at the headlines makes this painfully clear. Cyber Threat Intelligence (CTI) has emerged as a new capability that enterprises can leverage to become proactive in protecting their environments. In this webcast, Senior Forrester Analyst Rick Holland discusses:</p>
<ul>
<li>The definition of CTI</li>
<li>Why you might not be ready for CTI</li>
<li>Building versus buying CTI capabilities</li>
<li>The vendor landscape for CTI</li>
<li>Intelligence sharing and operational security</li>
</ul>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/y9NeNl7SCTQ?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
50 Shades of Hidden - Diving deep into code injection - SANS DFIR WEBCAST
2015-03-05T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/05/50-shades-of-hidden-diving-deep-into-code-injection-sans-dfir-webcast
<p>The technological prowess of attackers has increased dramatically over the last several years. Gone are the days when you could hope to discover malware.exe running in the process list. Attackers are migrating to code injection as a method to remain hidden from prying eyes examining process list entries.</p>
<p>Sure, we’ve all heard the term code injection or DLL injection, but what does it really mean? How does it really work? Hint: it isn’t magic. However, many explanations are bereft, with hand waving and pressing the “I believe” button. In this webcast, we’ll talk about how code injection really works at a more technical level. We’ll take a quick look at some malware that’s performing code injection and discuss detection strategies for when your antivirus fails to detect it. Code injection is a huge topic and we can’t cover every aspect in an hour, but the goal is for you to walk away understanding the basics of what’s happening under the hood so you can speak intelligently to the topic.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/yOq6FCteFvU?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Detecting Evil on Windows Systems - An In Depth Look at the DFIR Poster
2015-03-04T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/04/detecting-evil-on-windows-systems-an-in-depth-look-at-the-dfir-poster
<p>In an intrusion case, spotting the difference between abnormal and normal is often the difference between success and failure. Your mission is to quickly identify suspicious artifacts in order to verify potential intrusions. This year, SANS released a brand new poster and cheat sheet aimed at forensic and SOC analysts, system administrators, and security engineers to help identify evil on Windows.</p>
<p>This webcast will step through the information found on the new DFIR poster and discuss why we felt it was important to include that information to help identify adversaries inside your Windows enterprise. We will demonstrate how to use the information in the poster to identify good from bad. This poster release has been one of the most requested cheat sheets and posters we have had for years. Listen in to find out how to obtain a poster and to display it on a wall where it could truly make a difference in helping your analysts detect evil.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/o62pTPDQ4HA?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Cuckoo Sandbox 1.2 released
2015-03-04T00:00:00+01:00
http://blog.malwareresearch.institute/news/2015/03/04/cuckoo-sandbox-1-dot-2-released
<p>Today the Cuckoo Sandbox project announced the availability of version 1.2 of Cuckoo Sandbox, a dynamic malware analysis environment.</p>
<p>Several new features have been highlighted:</p>
<ul>
<li>Support for bare-metal and XenServer analysis </li>
<li>Behavior Search: You can now search in the behaviour results of the malware report, which is useful for finding specific API calls.</li>
<li>Network Streams View: You can now display the hex dump of network streams.</li>
<li>Comparative Analysis: Compare two samples’ execution paths graphically.</li>
</ul>
<p>You can read the full announcement over at <a href="http://cuckoosandbox.org/2015-03-04-cuckoo-sandbox-12.html">http://cuckoosandbox.org/2015-03-04-cuckoo-sandbox-12.html</a>.</p>
There’s Gold in them thar package management database
2015-03-03T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/03/theres-gold-in-them-thar-package-management-database
<p>There is a lot of useful file metadata stored in package management databases for popular Linux distributions. The RedHat Package Manager (RPM) and Debian’s dpkg are two examples. We’ll focus on how to leverage RPM in forensic investigations, as it can provide a quick and effective way to find changed files that warrant more in-depth analysis. We’ll also discuss potential shortfalls to consider in using this method.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/FzkwvXY-8pA?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Sick Anti Forensics Mechanisms in the Wild
2015-03-02T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/02/sick-anti-forensics-mechanisms-in-the-wild
<p>For those in the trenches of enterprise defense, it appears malware authors are deriving sick pleasure of late in mechanizing their end products with sophisticated self-defense and evasion capabilities. From “environmentally-aware” binaries to malware that defeats image acquisition, attackers are becoming increasingly more adept at evading analysis. During this presentation, several of these anti-forensics techniques will be explored, preparing attendees for what they are likely to encounter with increasing frequency - malware that fights back.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/adJ_QZxW7Ck?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Panic! Hysteria! No malware required!
2015-03-01T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/03/01/panic-hysteria-no-malware-required
<p>The landscape has shifted. Security is no longer something your organization can have complete control over. In this presentation John Strand will (quickly) demonstrate how most large corporations can be compromised in moments, even without phishing. We will then discuss how many attackers are moving away from exploits and malware. In light of this, how do we detect attacks? How do we react? Are there any products to help us? Is it time to panic? Yes, yes it is.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/byAnYAC1EUk?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
DFIR using SIFT Workstation: SANS DFIR Webcast
2015-02-28T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/28/dfir-using-sift-workstation-sans-dfir-webcast
<p>An international team of forensics experts helped create the SANS Investigative Forensic Toolkit (SIFT) Workstation and made it available to the whole community as a public service. The free SIFT toolkit, which can match any modern forensic tool suite, is also featured in SANS’ Advanced Computer Forensic Analysis and Incident Response course (FOR 508). It demonstrates that advanced investigations and responding to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated. The SANS Investigative Forensic Toolkit has become the most popular download on the SANS website. Over the past year, 20,000 individuals have downloaded the SIFT workstation, and it has become a staple among the key investigation tools of many organizations.</p>
<p>Learn how to use the SIFT workstation during incident response in a real case where APT-like adversaries have compromised an enterprise network. This session will demonstrate some of the key tools and capabilities of the suite. You will learn how to leverage this powerful tool in your organization’s incident response capability.</p>
<div class="embed video YouTube"><iframe width="459" height="344" src="https://www.youtube.com/embed/w1ygCP2TeCY?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Virtualization Incident Response
2015-02-27T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/27/virtualization-incident-response
<p>Virtualization is a game changer; this session looks at the new world of virtualization and its impact on Incident Response and Computer Forensics. Details include answers to several important questions: Is forensics more difficult, or perhaps actually easier, in the virtual realm? What do I image if the Data Store has PI from 200 different companies on it that are not subjects of the investigation? Where are virtual machine files stored? What files are of forensic value? What about all of those snapshots? Just how do I image a virtual machine? Will my existing tools work?</p>
<div class="embed video YouTube"><iframe width="459" height="344" src="https://www.youtube.com/embed/OLAK2xk-4nY?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Where is all the malware being hosted, interactive version
2015-02-26T00:00:00+01:00
http://blog.malwareresearch.institute/statistics/2015/02/26/where-is-all-the-malware-being-hosted-interactive-version
<script type="text/javascript" src="https://www.google.com/jsapi"></script>
<script type="text/javascript">
google.load("visualization", "1", {packages:["geochart"]});
google.setOnLoadCallback(drawRegionsMap);
function drawRegionsMap() {
// Each row is an ISO 3166-1 alpha-2 country code and the number of malware
// samples observed hosted there. The counts are numeric so that GeoChart
// treats the second column as a value column and colours the regions by it.
var data = google.visualization.arrayToDataTable([
['Country', 'Number of malware samples'],
["AU", 1],
["BG", 1],
["BR", 4],
["BY", 2],
["CA", 2],
["CL", 2],
["CN", 166],
["CO", 3],
["CY", 1],
["CZ", 1],
["DE", 39],
["ES", 2],
["EU", 4],
["FR", 22],
["GB", 17],
["HK", 4],
["ID", 1],
["IE", 22],
["IN", 1],
["IT", 2],
["KR", 5],
["LU", 4],
["LV", 1],
["NL", 59],
["NO", 1],
["NZ", 1],
["PA", 1],
["PL", 2],
["PT", 2],
["RO", 8],
["RU", 12],
["SG", 1],
["SI", 1],
["TH", 3],
["TR", 5],
["UA", 191],
["US", 406],
["VG", 6],
["VN", 2]
]);
// Default options: world view, regions coloured by sample count.
var options = {};
// Render into the placeholder div declared below the script.
var chart = new google.visualization.GeoChart(document.getElementById('regions_div'));
chart.draw(data, options);
}
</script>
<p>Here is an interactive world map of where malware samples are currently being served.</p>
<div id="regions_div" style="width: 900px; height: 500px;"></div>
What’s New in REMnux v4 for Malware Analysis? - SANS DFIR Webcast
2015-02-26T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/26/whats-new-in-remnux-v4-for-malware-analysis-sans-dfir-webcast
<p>REMnux is a lightweight Linux distribution for assisting malware analysts with reverse-engineering malicious software. Release 4 of this popular distro came out in April 2013. It incorporates several new tools useful for analyzing malware in this Ubuntu-based environment. Lenny Zeltser, who teaches the course FOR610: Reverse-Engineering Malware at SANS and maintains REMnux explains what’s new in this release of the toolkit. </p>
<p>Lenny covers topics such as:</p>
<ul>
<li>Installing the REMnux virtual appliance using the OVF/OVA file, designed for improved compatibility with many virtualization tools, including VMware and VirtualBox.</li>
<li>Nuanced differences between the updated and older versions of tools installed on REMnux, including Volatility, Firebug and Origami.</li>
<li>New utilities for dealing with XOR-based obfuscation commonly employed by malware authors.</li>
<li>New tools for statically examining Windows PE files, such as pev, ExeScan and autorule, and other newly-added utilities for malware analysis, including hack-functions and ProcDot.</li>
</ul>
<div class="embed video YouTube"><iframe width="459" height="344" src="https://www.youtube.com/embed/4LzCr9qf5_Q?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Super Timeline Analysis - SANS DFIR WebCast
2015-02-25T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/25/super-timeline-analysis-sans-dfir-webcast
<p>Rob Lee will expand on the lab material he presented at HTCIA International Conference and Training Expo 2011 delivering an exciting and valuable webcast both for those who attended the labs as well as those who were unable to attend. HTCIA will kick off this exciting webcast with a recap of the HTCIA 2011 Conference and a preview of 2012.</p>
<p>Over the past year investigators have started to use timeline analysis to help solve challenging cases. Learn how to create and analyze automatic file system and artifact timelines during incident response and criminal investigations.</p>
<p>Utilizing advances in spear phishing, web application attacks, and persistent malware these new sophisticated attackers advance rapidly through your network. Forensic investigators must master a variety of operating systems, investigation techniques, and incident response tactics to solve challenging cases. Temporal data is located everywhere on a computer system. File system MAC times, log files, network data, registry data, internet history files and file metadata all contain time data that can be correlated into critical analysis to successfully solve cases. While utilized first by my team in AFOSI in 2001, timeline analysis has become a critical investigative technique to solve complex cases. Until recently, timeline analysis frameworks have not existed to easily allow multiple examinations of time based data into a single framework that is easily analyzed by investigators. Learn via this hands-on practical webcast that will permanently change your approach to forensic cases.</p>
<div class="embed video YouTube"><iframe width="459" height="344" src="https://www.youtube.com/embed/C4jNfXZ90fw?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Finding Unknown Malware
2015-02-24T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/24/finding-unknown-malware
<p>If you have ever been given the mission to “Find Evil” on a compromised system, you understand the enormity of that tasking. In this technical presentation, Alissa will introduce sound methodology for identifying malware, using strategies based on “Knowing Normal”, “Data Reduction” and “Least Frequency of Occurrence” in order to identify malicious binaries and common methods of persistence. The skills and tools presented here will aid in efficient identification of anomalous files in order to narrow further analysis and facilitate the creation of indicators of compromise.</p>
<p>Alissa Torres is a certified SANS instructor, specializing in advanced computer forensics and incident response. Her industry experience includes serving in the trenches as part of the Mandiant Computer Incident Response Team (MCIRT) as an incident handler and working on an internal security team as a digital forensic investigator. She has extensive experience in information security, spanning government, academic, and corporate environments, and holds a Bachelor’s degree from the University of Virginia and a Master’s in Information Technology from the University of Maryland. Alissa has taught as an instructor at the Defense Cyber Investigations Training Academy (DCITA), delivering incident response and network basics to security professionals entering the forensics community. She has presented at various industry conferences and numerous B-Sides events. In addition to being a GIAC Certified Forensic Analyst (GCFA), she holds the GCFE, GPEN, CISSP, EnCE, CFCE, MCT and CTT+.</p>
<p>Listen to Alissa discuss “Detecting Persistence Mechanisms” in this SANS webcast that every DFIR professional should listen to.</p>
<div class="embed video YouTube"><iframe width="459" height="344" src="https://www.youtube.com/embed/JKRTvCbgI2c?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Open Source Threat Intelligence - Developing a Threat intelligence program using open source tools and public sources
2015-02-23T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/23/open-source-threat-intelligence-developing-a-threat-intelligence-program-using-open-source-tools-and-public-sources
<p>Overview of building a threat intelligence program outlining the processes, tasks and activities associated with the development of a functional intelligence program. Developing an Open Source Threat Intelligence Program from Open Source Tools and Public Sources is aimed at bringing business value and technical mitigation efforts, while dispelling common myths like “We’re too small”, “Who would attack us, we make widgets?” and “We have nothing anyone would want”. Follow one geek’s journey developing a Threat Intelligence program on the Internet of (bad) things as he began a mission to slay FUD Dragons. Learn how to leverage public sources and open source tools to protect your organization. This high-level overview centers on building a Threat Intelligence program and includes topics ranging from the threat intelligence life-cycle to specific tasks, in addition to lessons learned and what to keep in mind when developing your own Threat Intelligence program.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/wl5cU8afcs4?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
No Budget Threat Intelligence - Tracking Malware Campaigns on the Cheap
2015-02-22T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/22/no-budget-threat-intelligence-tracking-malware-campaigns-on-the-cheap
<p>In this talk, I’ll be discussing my experience developing intelligence-gathering capabilities to track several different independent groups of threat actors on a very limited budget (read: virtually no budget whatsoever). I’ll discuss discovering the groups using open source intelligence gathering and honeypots, monitoring attacks, collecting and analyzing malware artifacts to figure out what their capabilities are, and reverse engineering their malware to develop the capability to track their targets in real time. Finally, I’ll chat about defensive strategies and provide recommendations for enterprise security analysts and other security researchers. I’ll also be releasing a suite of tools I created to help threat researchers perform tracking and attribution.</p>
<p>Andrew is someone who I first met at NovaHackers, and when I first met him I thought “This is someone to keep an eye on, he’s going to be doing some pretty awesome things”. Well Andrew, you have!
This talk had specific interest to me as one of my own projects is kinda about doing threat-Intel cheaply.</p>
<div class="embed video YouTube"><iframe width="459" height="344" src="https://www.youtube.com/embed/DKfWukYffsE?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Mirage - Next Gen Honeyports
2015-02-21T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/21/mirage-next-gen-honeyports
<p>Honeyports are a great way for a defender to not only see what the attackers are doing, but to quickly, and automatically, deploy countermeasures. Does your business cringe when you talk about auto shun on the firewall? Mirage takes honeyports to the next level, allowing enterprise wide response, attacker frustration, and most importantly… automated graduated response. Come watch this talk and add another tool to your defensive weapons locker!</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/r6h1EZN2xlg?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Malware Development as the Evolution of Parasites
2015-02-20T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/20/malware-development-as-the-evolution-of-parasites
<p>I will discuss how the evolution of parasites maps to the growth and development of malware. From the theoretical ground already explored in biology we can explain many of the trends in malware development and make predictions on how malware will evolve in the future.</p>
<p>Adam Hogan is a Security Engineer with the Advanced Threat Solutions team at Cisco, who acquired him from Sourcefire. Adam has been working with Snort and Intrusion Prevention Systems since 2012, and is just obsessive enough to still enjoy it. His latest research is in malware analysis over time and trying to use statistical models when ever possible to help justify what he spent on grad school. He enjoys slow cooked BBQ, fine Irish whiskey, and gummy worms.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/nhYR0F7seMs?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
APT Attacks Exposed: Network, Host, Memory, and Malware Analysis
2015-02-19T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/19/apt-attacks-exposed-network-host-memory-and-malware-analysis
<p>For many years, professionals have been asking to see real APT data in a way that shows them how the adversaries compromise and maintain presence on our networks. Now you can experience it first hand - using real data. The SANS Digital Forensics and Incident Response team will take you through an end-to-end investigation similar to briefs that are supplied to C-level executives who want to understand how their network was compromised and how these adversaries think, act, and move around their enterprise.</p>
<p>Starting with core steps in digital forensics, incident response, network forensics, memory analysis, and RE malware, instructors Rob Lee (FOR408 - Digital Forensics), Chad Tilbury (FOR508 - Incident Response), Alissa Torres (FOR526 - Windows Memory Forensics), Phil Hagen (FOR572 Network Forensics), and Lenny Zeltser (FOR610 - RE Malware) will walk through how key skills are used to solve a single intrusion for 20 minutes each. The tag team approach will detail how response teams can be leveraged in your environment to effectively respond to incidents in your enterprise.</p>
<p>This talk is perfect for those in the trenches or for those in management who really want to understand how a response team identifies and responds to these adversaries. What is it they are after? How did they get in? How did our systems fail to detect them? These questions and more will be answered in this one-of-a-kind keynote.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/r9Ctji9djxI?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
So Easy A High-Schooler Could Do It: Static malware analysis using function-level signatures
2015-02-18T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/18/so-easy-a-high-schooler-could-do-it-static-malware-analysis-using-function-level-signatures
<p>This presentation is a summary of an experimental malware detection method pioneered by three high-school interns at Dynetics. Their solution differs from traditional detection methods in that the malware signatures are unique to a function, not a file, and that the signature generation uses context-triggered piecewise hashing (fuzzy hashing) instead of traditional absolute hashing algorithms such as MD5. The team created software called Malfunction that implements these methods. Preliminary tests indicate that it is capable of identifying the author of a malware sample by comparing it to known malware from that author as well as identifying individual malware “features”.</p>
<p>Bio: James Brahm, Matthew Rogers, and Morgan Wagner are seniors at Grissom High School, where they are part of the nationally-ranked Cybersecurity Team. They are currently employed by Dynetics as malware researchers. They all plan to pursue careers in the defense industry, either in the armed forces or as civilian contractors.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/JyHwhSqX2oM?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
ClusterF*ck - Actionable Intelligence from Machine Learning
2015-02-17T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/17/clusterf-ck-actionable-intelligence-from-machine-learning
<p>Everybody is aware of the buzzword BINGO winning square of “Machine Learning”, but how can we apply this to a real problem? More importantly, what output can we derive from doing some analysis? This talk will cover clustering (unlabeled data) of file types based off various static features. Then, using information from the clusters, is it possible to automatically generate Yara signatures to go hunting for files that are similar? We believe so, and we’ll show you how you can do this at home.</p>
<p>Bio: David has been in the security field for over 10 years now. He enjoys static file analysis and tearing apart shellcode. He’s starting to add various data analysis techniques to his toolbox, where before he would only rely on hex editors, debuggers, and disassemblers.</p>
<p>Mike Sconzo enjoys attempting to solve/solving interesting security problems with data analysis. He’s spent most of his career on the defensive side, and is constantly looking for new ways to detect suspicious and malicious behavior. His background is heavy in network analysis and most of the explored techniques revolve around use cases involved with network forensics. Mike also really dislikes talking about himself in the 3rd person.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/fN5TOB4ZPVI?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
PlagueScanner - An Open Source Multiple AV Scanner Framework
2015-02-16T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/16/plaguescanner-an-open-source-multiple-av-scanner-framework
<p>PlagueScanner is an open source framework for organizing any number of AV scanners into one contiguous tool chain. It leverages high speed message queuing along with JSON report output for easy integration into an automated malware analysis lab. An optional ElasticSearch output plugin lets you keep historical data for future searching and further analysis.</p>
<p>This project solves the problem of what to do with a sensitive malicious file that you wish to have multiple AV scanner results for, but you are wary about uploading the file to a public site, and you don’t want to pay the hefty price for a commercial scanner bank.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/UehRMI6XTXI?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Blackhat 2012 EUROPE - Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis
2015-02-15T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/15/blackhat-2012-europe-entrapment-tricking-malware-with-transparent-scalable-malware-analysis
<p>The detection of malware analysis environments has become popular and commoditized. Detection techniques previously reserved for more sophisticated forms of malware are now available to any novice cyber criminal. The use of next-generation virtualization-based malware analysis technologies considerably reduces the number of possible transparency shortcomings, but still fails to handle pathologically resistant malware instances that will only run on physical hardware.</p>
<p>Thus far, the execution of malware on physical (or baremetal) hardware has been useful for one or a handful of malware samples of interest. However, this activity was manually driven and time intensive (e.g., infect, study, format, reinstall). This presentation will resolve these long-outstanding shortcomings by describing the design and implementation of a scalable, automated baremetal malware analysis system, which can be constructed using inexpensive commodity hardware and freely available technologies. To motivate the approach’s need, previously unpublished detection attacks for popular environments used to automate malware analysis (e.g., VMware, QEMU) will be shown.</p>
<div class="embed video YouTube"><iframe width="459" height="344" src="https://www.youtube.com/embed/yGiGo3LCxIw?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
<p>Other resources:</p>
<ul>
<li><a href="https://media.blackhat.com/bh-eu-12/Royal/bh-eu-12-Royal-Entrapment-WP.pdf">Whitepaper</a></li>
<li><a href="https://media.blackhat.com/bh-eu-12/Royal/bh-eu-12-Royal-Entrapment-Slides.pdf">Slides</a></li>
<li><a href="https://media.blackhat.com/bh-eu-12/Royal/bh-eu-12-Royal-nvmtrace-Code.zip">Code</a> </li>
</ul>
Blackhat 2010: Malware Attribution - Tracking Cyber Spies
2015-02-14T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/14/blackhat-2010-malware-attribution-tracking-cyber-spies
<p>Corporate, state, and federal networks are at great risk, and a decade of security spending has not increased our security. Hundreds of thousands of malware samples are released daily that escape undetected by antivirus. Cyber-spies are able to take intellectual property like source code, formulas and CAD diagrams at their whim. We are at a crisis point and we need to rethink how we address malware.</p>
<p>Malware is a human problem. We can clean malware from a host, but the bad guy will be back again tomorrow. By tracing malware infections back to the human attacker we can understand what they are after, what to protect, and how to counter their technical capabilities. Every step in the development of malware has the potential to leave a forensic toolmark that can be used to trace developers, and ideally can lead to the operators of the malware. Social cyberspaces exist where malware developers converse with one another and their clients. A global economy of cyber spies and digital criminals supports the development of malware and the subsequent monetization of stolen information. This talk focuses on how code artifacts and toolmarks can be used to trace those threat actors.</p>
<p>We will study GhostNet and Aurora, among others. Example toolmarks will include compiler and programming language fingerprints, native language artifacts (was it written for Chinese operators, etc), mutations or extensions to algorithms, command and control protocols, and more. We will discuss link analysis (using Palantir, etc) against open-source data such as internet forums and network scans. Ultimately this information will lead to a greater understanding of the malware operation as a whole, and feeds directly back into actionable defenses.</p>
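<p>Two of the toolmarks listed above, the linker version and the Rich header that Microsoft's linker writes between the DOS stub and the PE signature, can be read straight from a binary's headers. The script below is an added example, not code from the talk: it builds a constructed minimal PE image (not a real sample) with arbitrary Rich header records so that it runs offline, and parses the headers by hand rather than with a PE library.</p>

```python
import struct
from datetime import datetime, timezone

DANS = 0x536E6144          # "DanS": start marker of the Rich header
RICH = b"Rich"             # end marker, followed by the XOR key in clear


def build_sample_pe(key=0x8A6B2C1D):
    """Constructed minimal PE32 image (NOT a real binary): DOS header, Rich
    header, PE signature, COFF header and the start of the optional header.
    The (prodid, build, count) records and the key are arbitrary values."""
    comps = [(0x0093, 0x7809, 12), (0x00AA, 0x9D1B, 3), (0x0083, 0x9D1B, 1)]
    rich = struct.pack("<I", DANS ^ key)
    rich += struct.pack("<III", key, key, key)          # three zero dwords, XORed
    for prodid, build, count in comps:
        rich += struct.pack("<II", ((prodid << 16) | build) ^ key, count ^ key)
    rich += RICH + struct.pack("<I", key)
    e_lfanew = 0x80 + len(rich)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)   # e_lfanew lives at 0x3C
    stub = b"\x00" * (0x80 - len(dos))
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0x4B2D1E80, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB", 0x10B, 9, 0) + b"\x00" * 220      # PE32, linker 9.0
    return dos + stub + rich + b"PE\x00\x00" + coff + opt


def parse_rich_header(blob):
    """Decode the Rich header, if present, from the bytes before the PE signature."""
    end = blob.rfind(RICH)
    if end == -1:
        return None
    key = struct.unpack_from("<I", blob, end + 4)[0]
    start = end - 4
    # Walk backwards, un-XORing each dword, until the DanS marker appears
    while start >= 0 and struct.unpack_from("<I", blob, start)[0] ^ key != DANS:
        start -= 4
    if start < 0:
        return None
    entries = []
    for off in range(start + 16, end, 8):                # skip DanS + 3 padding dwords
        comp, count = struct.unpack_from("<II", blob, off)
        comp ^= key
        entries.append({"prodid": comp >> 16, "build": comp & 0xFFFF, "count": count ^ key})
    return {"key": key, "entries": entries}


def pe_toolmarks(data):
    """Compiler/linker toolmarks taken from a PE file's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic, major, minor = struct.unpack_from("<HBB", data, e_lfanew + 24)
    return {
        "machine": machine,                              # 0x14C = x86, 0x8664 = x64
        "sections": nsections,
        "characteristics": chars,
        "compile_time": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "pe_magic": magic,                               # 0x10B = PE32, 0x20B = PE32+
        "linker_version": "%d.%d" % (major, minor),
        "rich": parse_rich_header(data[:e_lfanew]),
    }


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(pe_toolmarks(data))
```

<p>Pass a real file as the first argument to read it instead of the constructed image. The compile timestamp and the Rich header are both forgeable and are sometimes zeroed or stripped, so treat them as one toolmark among several rather than proof; mapping the prodid values to named compiler and linker builds needs a lookup table that is not included here.</p>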
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/k4Ry1trQhDk?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
VB2014 paper: Duping the machine - malware strategies, post sandbox detection
2015-02-13T00:00:00+01:00
http://blog.malwareresearch.institute/paper/2015/02/13/vb2014-paper-duping-the-machine-malware-strategies-post-sandbox-detection
<p>In his VB2014 paper, James Wyke explores the different strategies malicious samples employ once they have detected a sandbox. He looks at examples of decoy behaviour that ranges from dummy files being dropped to the use of fixed path names, bogus DNS and HTTP requests, and misleading configuration files being delivered. He analyses the consequences of failing to realize that we are observing bogus behaviour from a sample, and explores ways in which we might prevent ourselves from falling victim to the same techniques again.</p>
<p>Copyright © 2015 Virus Bulletin</p>
<p><a href="https://www.virusbtn.com/virusbulletin/archive/2015/01/vb201501-duping">https://www.virusbtn.com/virusbulletin/archive/2015/01/vb201501-duping</a></p>
VB2014 paper: We know it before you do: predicting malicious domains
2015-02-12T00:00:00+01:00
http://blog.malwareresearch.institute/paper/2015/02/12/vb2014-paper-we-know-it-before-you-do-predicting-malicious-domains
<p>From distributing malware to hosting command and control servers and traffic distribution, malicious domains are essential to the success of nearly all popular attack vectors. Much effort has been put into building reputation-based malicious domain blacklists. However, in order to evade detection and blocking by the domain reputation systems, many malicious domains are now only used for a very short period of time - a malicious domain has already served most of its purpose by the time its content is detected and the domain is blocked. In their VB2014 paper, Wei Xu, Kyle Sanders and Yanxin Zhang propose a system for predicting the domains that are most likely to be used (or are about to be used) as malicious domains.</p>
<p>Copyright © 2015 Virus Bulletin</p>
<p><a href="https://www.virusbtn.com/virusbulletin/archive/2015/02/vb201502-predicting-malicious-domains">https://www.virusbtn.com/virusbulletin/archive/2015/02/vb201502-predicting-malicious-domains</a></p>
5 Ways To Monitor DNS Traffic For Security Threats
2015-02-12T00:00:00+01:00
http://blog.malwareresearch.institute/article/2015/02/12/5-ways-to-monitor-dns-traffic-for-security-threats
<p>The Security Skeptic has published a blog post on five ways to monitor DNS traffic for security threats. Using systems you most likely already have, such as firewalls, intrusion detection systems, traffic analyzers and passive DNS replication, and by turning on query logging at your resolver, you can increase the visibility into DNS activity in your network.</p>
<p>Read the full article over at <a href="http://www.securityskeptic.com/2015/02/5-ways-to-monitor-dns-traffic-for-security-threats.html">http://www.securityskeptic.com/2015/02/5-ways-to-monitor-dns-traffic-for-security-threats.html</a>.</p>
Chronicles of a Malware Hunter
2015-02-11T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/11/chronicles-of-a-malware-hunter
<p>Tony Robinson discusses how the evolution of parasites maps to the growth and development of malware. From the theoretical ground already explored in biology we can explain many of the trends in malware development and make predictions on how malware will evolve in the future.</p>
<p>Adam Hogan is a Security Engineer with the Advanced Threat Solutions team at Cisco, who acquired him from Sourcefire. Adam has been working with Snort and Intrusion Prevention Systems since 2012, and is just obsessive enough to still enjoy it. His latest research is in malware analysis over time and trying to use statistical models whenever possible to help justify what he spent on grad school. He enjoys slow cooked BBQ, fine Irish whiskey, and gummy worms.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/_Spwz29P6Rs?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
All NXDOMAIN belongs to InetSim
2015-02-10T00:00:00+01:00
http://blog.malwareresearch.institute/code/2015/02/10/all-nxdomain-belongs-to-inetsim
<p>The following code snippet acts as a DNS server and forwards any unknown host (NXDOMAIN) to InetSim (the address set in the <strong>TO</strong> variable). The benefit of doing it this way instead of using the DNS functionality of InetSim is that hosts that are still available will still resolve successfully, so the sample gets real answers for live infrastructure and InetSim only for the dead names.</p>
<div class="highlight"><pre><code class="language-python" data-lang="python"># twistd -y dns.py   (needs root: binds port 53; "python dns.py" works too, reactor.run() is called below)
from twisted.internet import reactor
from twisted.names import client, dns, server

TO = '192.168.1.87'   # InetSim host that receives every name the upstream cannot resolve
TTL = 60              # TTL of the synthesised A record


class DNSServerFactory(server.DNSServerFactory):
    # Called when the upstream resolver fails (NXDOMAIN, but also SERVFAIL and timeouts).
    # Instead of relaying the error, answer A queries with the InetSim address.
    def gotResolverError(self, failure, protocol, message, address):
        query = message.queries[0]
        if query.type != dns.A:
            # AAAA, MX, TXT ... keep the default behaviour (NXDOMAIN/SERVFAIL reply)
            return server.DNSServerFactory.gotResolverError(
                self, failure, protocol, message, address)
        ans = [dns.RRHeader(name=query.name.name, type=dns.A, ttl=TTL,
                            payload=dns.Record_A(TO, TTL), auth=False)]
        auth = []
        add = []
        args = (self, (ans, auth, add), protocol, message, address)
        return server.DNSServerFactory.gotResolverResponse(*args)


verbosity = 0
# Upstream resolver for names that still exist (Level 3's 4.2.2.2 here)
resolver = client.Resolver(servers=[('4.2.2.2', 53)])
factory = DNSServerFactory(clients=[resolver], verbose=verbosity)
protocol = dns.DNSDatagramProtocol(factory)
factory.noisy = protocol.noisy = verbosity
reactor.listenUDP(53, protocol)
reactor.listenTCP(53, factory)
reactor.run()</code></pre></div>
<p>Just change the TO variable to your InetSim host and all lookups that the upstream resolver cannot answer will be redirected there. The TTL variable is the TTL of the synthesised DNS record (TTL = Time To Live). I am using Level 3’s DNS server (4.2.2.2) as upstream; feel free to change that if you want. Two things to keep in mind: the override fires on every resolver failure (SERVFAIL and timeouts as well as NXDOMAIN), and every name the sample looks up is forwarded to the upstream server, so the lookups leave your lab and are visible both to whoever runs that resolver and to the authoritative servers of the domains being queried.</p>
Advanced Threats & Malware Attacks Rising - Ready for the impact of a breach?
2015-02-09T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/09/advanced-threats-malware-attacks-rising-ready-for-the-impact-of-a-breach
<p>2013 was the year of the Mega Breach…and unfortunately the trend continues. Attacks on global corporations were highly visible in 2014 – a direct result of the huge increase in complex breaches. It’s no longer enough to simply work on keeping the bad guys out. You need a response and remediation plan for when (not if) a breach occurs.</p>
<p>In this webinar Mike Smart from Symantec will host a panel with Sian John and Laurence Pitt discussing ‘how to protect against cyber-attack from the inside’. You will also hear Symantec discuss how IT security leaders can balance business innovation and protection in the modern IT world.</p>
<script type="text/javascript" src="https://www.brighttalk.com/clients/js/embed/embed.js"></script>
<object class="BrightTALKEmbed" width="705" height="660"><param name="player" value="channel_player" /><param name="domain" value="http://www.brighttalk.com" /><param name="channelid" value="5691" /><param name="communicationid" value="140069" /><param name="autoStart" value="false" /><param name="theme" value="" /></object>
The untold story about ATM Malware
2015-02-08T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/08/the-untold-story-about-atm-malware
<p>Everyone talks about ATM malware, and we can see videos on the Internet of these machines being hacked, but no one explains HOW an attacker can take control of an ATM and command it to dispense money at will.
Is it possible to control an ATM from a cell phone? What about a man-in-the-middle attack to intercept the traffic between the ATM and the bank?
Come to my talk and learn these and many other techniques used by hackers from Venezuela to Russia who are emptying ATMs without restrictions.</p>
<p>Bio: Daniel Regalado aka Danux is a reverse engineer and malware and vulnerability researcher; he was responsible for dissecting the latest dangerous ATM malware, named Ploutus, as well as many other advanced persistent threats. He is the lead author of the Gray Hat Hacking book, 4th edition, to be released by the end of 2014.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/JgNRvhsZiBg?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Forget Zero Day, Hello Zero Second!
2015-02-06T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/06/forget-zero-day-hello-zero-second
<p>What can malware do in 60 seconds? One minute can change everything for a business. So what happens when the speed of business is overtaken by the speed of malware?</p>
<p>The Check Point team devised a test to quantify that exact question. Watch this webcast to hear about the results of the Zero Second Test and how you can beat the speed of malware.</p>
<script type="text/javascript" src="https://www.brighttalk.com/clients/js/embed/embed.js"></script>
<object class="BrightTALKEmbed" width="705" height="660"><param name="player" value="channel_player" /><param name="domain" value="http://www.brighttalk.com" /><param name="channelid" value="5418" /><param name="communicationid" value="136387" /><param name="autoStart" value="false" /><param name="theme" value="" /></object>
Memory Forensics with Hyper V Virtual Machines
2015-02-05T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/05/memory-forensics-with-hyper-v-virtual-machines
<p>With the increased demand for memory forensics, and more people using Windows Hyper-V as a hypervisor, it’s critical that the DFIR community follows the proper triage process. Much like ESXi stores a .vmss file for each virtual machine’s memory, Hyper-V stores it in a .bin and a .vsv file; however, currently it’s not as simple to perform memory analysis on these files. It’s possible with Hyper-V 2.0 files (Windows Server 2008 R2) to convert the .bin and .vsv files into a crash dump using vm2dmp and then use the imagecopy plugin in Volatility to convert the crash dump into a raw dump that you can fully work with. However, with Windows Server 2012 and newer the vm2dmp tool no longer works on the .bin and .vsv files. It’s still possible to run strings against these images, but because of the compression Microsoft uses on these files the data doesn’t tell the entire story.</p>
<p>This presentation will cover everything from locating the .bin and .vsv files to converting and performing memory analysis on Hyper-V virtual machines in a saved or snapshotted state on Windows Server 2008 R2 to Windows Server 2012 R2 platforms. I will also briefly touch on how you can use Microsoft Data Protection Manager to look at historical memory saved states, giving the analyst an endless amount of data to work with. I will also discuss some of the current limitations I have discovered, such as any VM with 4GB of RAM or more causing vm2dmp to fail with an error like “ERROR: Failed to map guest block 4096 to any saved state block! ERROR: Element not found.” After we cover the basics of analyzing the virtual machine layer, I’ll cover some basics of performing analysis on the hypervisor itself for signs of abnormal activity. I’ll also showcase some newly developed plugins for Volatility for analyzing Hyper-V systems.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/rH9bAPjw3w0?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
DEFCON 17 - Making Fun of Your Malware
2015-02-05T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/05/defcon-17-making-fun-of-your-malware
<p>Would you laugh if you saw a bank robber accidentally put his mask on backwards and fall into a manhole during the getaway, because he couldn’t tell where he was going? Criminals do ridiculous things so often, it’s impossible to capture them all on video. Rest assured, when the criminals are malware authors, we can still make fun of them through evidence found in pictures, binary disassemblies, packet captures, and log files. This talk evenly distributes technical knowledge and humor to present the funniest discoveries related to malware authors and the fight against their code.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/OeG4KBWB-EY?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
IR Event Log Analysis
2015-02-04T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/04/ir-event-log-analysis
<p>Windows event logs contain a bewildering variety of messages. But homing in on a few key events can quickly profile attacker activity.</p>
<p>From administrator logins, to scheduled tasks, to entries related to system services, and more: the event logs are a one-stop shop.</p>
<p>Learn to “crack the code” and enhance your investigations by adding event log analysis to your toolset.</p>
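<p>The handful of events the webcast points to can be pulled from an exported log with a short script. Below is an added example, not code from the webcast: the records are constructed, in the shape of Security and System log events exported to JSON (the field names used are assumptions), and the event IDs are the standard ones: 4624 logon, 4672 special privileges assigned to a new logon, 4698 scheduled task created, 7045 service installed, 1102 audit log cleared.</p>

```python
# Constructed records shaped like an exported Windows event log (e.g. Security
# and System .evtx converted to JSON); the field names used here are assumptions.
EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Time": "2015-02-03T09:12:01",
     "Data": {"TargetUserName": "alice", "LogonType": "2", "IpAddress": "-",
              "TargetLogonId": "0x3e7a1"}},
    {"Channel": "Security", "EventID": 4624, "Time": "2015-02-03T22:41:17",
     "Data": {"TargetUserName": "svc_backup", "LogonType": "10",
              "IpAddress": "203.0.113.7", "TargetLogonId": "0x9c21f"}},
    {"Channel": "Security", "EventID": 4672, "Time": "2015-02-03T22:41:17",
     "Data": {"SubjectUserName": "svc_backup", "SubjectLogonId": "0x9c21f"}},
    {"Channel": "Security", "EventID": 4698, "Time": "2015-02-03T22:43:05",
     "Data": {"SubjectUserName": "svc_backup",
              "TaskName": "\\Microsoft\\Windows\\Update\\upd",
              "Command": "C:\\Users\\Public\\upd.exe"}},
    {"Channel": "System", "EventID": 7045, "Time": "2015-02-03T22:44:30",
     "Data": {"ServiceName": "WinDefendSvc", "ImagePath": "C:\\Windows\\Temp\\wd.exe",
              "StartType": "auto start"}},
    {"Channel": "Security", "EventID": 1102, "Time": "2015-02-03T22:50:00",
     "Data": {"SubjectUserName": "svc_backup"}},
]

LOGON_TYPES = {"2": "Interactive", "3": "Network", "10": "RemoteInteractive (RDP)"}
# Executables launched from user-writable directories deserve a second look
SUSPECT_PATHS = ("\\temp\\", "\\users\\public\\", "\\appdata\\", "\\programdata\\")


def _suspect(path):
    return any(p in path.lower() for p in SUSPECT_PATHS)


def privileged_logons(events):
    """4672 (special privileges assigned) joined to its 4624 logon via the logon ID,
    so each admin-level logon comes with account, logon type and source address."""
    logons = {e["Data"]["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    out = []
    for e in events:
        if e["EventID"] != 4672:
            continue
        logon = logons.get(e["Data"]["SubjectLogonId"])
        if logon is None:
            continue            # 4672 without a matching 4624 in this export
        d = logon["Data"]
        out.append({"time": logon["Time"], "user": d["TargetUserName"],
                    "type": LOGON_TYPES.get(d["LogonType"], d["LogonType"]),
                    "source": d["IpAddress"]})
    return out


def persistence_events(events):
    """4698 (scheduled task created) and 7045 (service installed), each flagged
    when the binary it runs sits in a user-writable path."""
    out = []
    for e in events:
        d = e["Data"]
        if e["Channel"] == "Security" and e["EventID"] == 4698:
            out.append({"time": e["Time"], "kind": "scheduled task", "name": d["TaskName"],
                        "by": d["SubjectUserName"], "image": d.get("Command", ""),
                        "suspect": _suspect(d.get("Command", ""))})
        elif e["Channel"] == "System" and e["EventID"] == 7045:
            out.append({"time": e["Time"], "kind": "service", "name": d["ServiceName"],
                        "by": "", "image": d.get("ImagePath", ""),
                        "suspect": _suspect(d.get("ImagePath", ""))})
    return out


def log_cleared(events):
    """1102: the Security log was cleared; record who did it and when."""
    return [(e["Time"], e["Data"]["SubjectUserName"]) for e in events if e["EventID"] == 1102]


def triage(events):
    """Timeline-ready summary of the few events that profile attacker activity."""
    return {"privileged_logons": privileged_logons(events),
            "persistence": persistence_events(events),
            "log_cleared": log_cleared(events)}


if __name__ == "__main__":
    for section, rows in triage(EVENTS).items():
        print(section)
        for row in rows:
            print("  ", row)
```

<p>On a Windows host the same records come from Get-WinEvent; the join on the logon ID is what turns a bare 4672 into an answer to “who logged in with admin rights, from where, and how”. Note that 4698 is only written when the Other Object Access Events audit subcategory is enabled, so its absence is not proof that no task was created.</p>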
<p>Hal Pomeranz is an independent digital forensic investigator who has consulted on cases ranging from intellectual property theft, to employee sabotage, to organized cybercrime and malicious software infrastructures. He has worked with law enforcement agencies in the US and Europe and global corporations.</p>
<p>While equally at home in the Windows or Mac environment, Hal is recognized as an expert in the analysis of Linux and Unix systems. His research on EXT4 file system forensics provided a basis for the development of Open Source forensic support for this file system. His EXT3 file recovery tools are used by investigators worldwide.</p>
<p>Hal is a SANS Faculty Fellow and Lethal Forensicator, and is the creator of the SANS Linux/Unix Security track (GCUX). He holds the GCFA and GREM certifications and teaches the related courses in the SANS Forensics curriculum. He is a respected author and speaker at industry gatherings worldwide. Hal is a regular contributor to the SANS Computer Forensics blog and co-author of the Command Line Kung Fu blog.</p>
<p>The webcast can be accessed at <a href="https://www.sans.org/webcasts/ir-event-log-analysis-99592" title="IR Event Log Analysis Webcast">https://www.sans.org/webcasts/ir-event-log-analysis-99592</a> (registration required).</p>
Updated logo
2015-02-03T00:00:00+01:00
http://blog.malwareresearch.institute/news/2015/02/03/updated-logo
<p>I’ve replaced the standard BioHazard logo with a more “digital” version.</p>
<p><img src="/downloads/MalwareResearchInstitute-Logo-20150202.svg" alt="Malware Research Institute Logo" /></p>
Hacker Highschool Lesson 6 - Hacking Malware
2015-02-03T00:00:00+01:00
http://blog.malwareresearch.institute/pdf/2015/02/03/hacker-highschool-lesson-6-hacking-malware
<blockquote>
<p>It’s amazing how easily malware exploits systems. Dr. Fred Cohen wrote his PhD dissertation on the idea of a virus back in 1984. It was published in 1985. The university found the dissertation profound and initially ridiculous until Dr. Cohen demonstrated his idea. This was around the time of the Morris worm. As soon as the academics saw the potential of a virus, it scared the hell out of them.</p>
</blockquote>
<p><a href="/downloads/HHS_en6_Hacking_Malware.v2.pdf">get the PDF</a></p>
<p>Hacker Highschool (HHS) is an ever-growing collection of lessons written to the teen audience and covering specific subjects that are timely, interesting, and important for teens. The non-profit ISECOM researches and produces the Hacker Highschool Project as a series of lesson workbooks written and translated by the combined efforts of volunteers world wide. The result of this research are books based on how teens learn best and what they need to know to be better hackers, better students, and better people.</p>
Another Log to Analyze - Utilizing DNS to Identify Malware
2015-02-03T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/03/another-log-to-analyze-utilizing-dns-to-identify-malware
<p>DNS logs are an often overlooked asset in identifying malware in your network. The purpose of this talk is to show how to identify malware in the network by establishing DNS query and response baselines, analyzing NXDOMAIN responses, analyzing successful DNS lookups, and identifying domain name anomalies. This talk will give you the basics of what to look for in your own unique environment.</p>
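<p>The checks the talk lists can be scripted against a resolver query log (the kind of logging the Security Skeptic post earlier on this page recommends turning on). The script below is an added example, not material from the talk: the log format (one line per query: epoch time, client address, queried name, response code) and the thresholds are assumptions, the log lines are constructed, and the domain-name anomaly check is a simple length/entropy/vowel heuristic standing in for a learned baseline.</p>

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<epoch> <client> <qname> <rcode>"
SAMPLE_LOG = """\
1423000001 10.0.0.5 www.example.com NOERROR
1423000002 10.0.0.5 mail.example.com NOERROR
1423000003 10.0.0.5 cdn.example.net NOERROR
1423000004 10.0.0.9 www.example.com NOERROR
1423000005 10.0.0.9 xk3jd9f2lq0ztp.com NXDOMAIN
1423000006 10.0.0.9 q7vb2nm8ws1ryhg.net NXDOMAIN
1423000007 10.0.0.9 pl0ds8fj3ka7xu.org NXDOMAIN
1423000008 10.0.0.9 ztr4k9dmq2wvyb.com NXDOMAIN
1423000009 10.0.0.9 update.example.com NOERROR
1423000010 10.0.0.7 intranet.corp.local NXDOMAIN
"""

LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (client, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).lower().rstrip("."), m.group(4)


def nxdomain_ratio(records):
    """Per-client share of queries that came back NXDOMAIN."""
    total, nx = Counter(), Counter()
    for client, _, rcode in records:
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
    return {c: nx[c] / total[c] for c in total}


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname):
    """Second-level label (naive: ignores multi-part public suffixes such as co.uk)."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else qname


def dga_like(qname, min_len=12, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic for algorithmically generated names: a long, high-entropy,
    vowel-poor second-level label. Thresholds are assumptions, not tuned values."""
    label = registered_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return label_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def suspicious_clients(text, ratio_threshold=0.5, min_queries=3):
    """Clients whose NXDOMAIN rate exceeds the threshold, with the failed names that look generated."""
    records = list(parse_log(text))
    ratios = nxdomain_ratio(records)
    per_client_total = Counter(c for c, _, _ in records)
    dga_names = defaultdict(list)
    for client, qname, rcode in records:
        if rcode == "NXDOMAIN" and dga_like(qname):
            dga_names[client].append(qname)
    return {c: {"nxdomain_ratio": round(r, 2), "dga_names": dga_names[c]}
            for c, r in ratios.items()
            if r >= ratio_threshold and per_client_total[c] >= min_queries}


if __name__ == "__main__":
    for client, info in suspicious_clients(SAMPLE_LOG).items():
        print(client, info)
```

<p>Run as-is it reports 10.0.0.9 (four NXDOMAIN answers out of six queries, all four names looking algorithmically generated) and ignores 10.0.0.7, whose single failed lookup of an internal name is below the minimum query count. In production the thresholds come from the baseline the talk describes, and registered_label() should consult a public-suffix list so that names under multi-part suffixes are split correctly.</p>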
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/aFlFj0YIbms?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Malware Analysis - Let the Computer Do the Work!
2015-02-02T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/02/malware-analysis-let-the-computer-do-the-work
<p>Malware analysts spend a lot of time analyzing code and looking for indicators of compromise from advanced persistent threats, and even for the most seasoned analysts the volume of analysis can be prohibitive. In today’s environment malware analysts need to leverage automated tools to power through large volumes of samples and quickly receive valuable threat summaries. </p>
<p>Letting the computers do the work allows the analyst to quickly identify files of greatest concern, and focus on remediating especially pernicious attacks. Malicious behavior can now be viewed right down to the kernel level, giving a complete picture of how your network was targeted by a specific cyber threat. </p>
<p>Join Thomas Quinlan as he explores integrating automated threat assessment processes and defining indicators that identify specific threats to your system.</p>
<script type="text/javascript" src="https://www.brighttalk.com/clients/js/embed/embed.js"></script>
<object class="BrightTALKEmbed" width="705" height="660"><param name="player" value="channel_player" /><param name="domain" value="http://www.brighttalk.com" /><param name="channelid" value="288" /><param name="communicationid" value="48053" /><param name="autoStart" value="false" /><param name="theme" value="" /></object>
Call For Papers - Security BSides San Francisco April 2015
2015-02-01T00:00:00+01:00
http://blog.malwareresearch.institute/cfp/2015/02/01/call-for-papers-security-bsides-san-francisco-april-2015
<p>We’re a small, non-profit volunteer organization so please help us by
spreading the word.</p>
<h1 id="scope">Scope</h1>
<p>The 2015 BSides SF aims at bringing together researchers in the field of
reliability, network security, privacy, cryptography and information
security, practitioners, developers, and users to foster cooperation,
exchange techniques, tools, experiences and ideas. The conference seeks
submissions from independent researchers, academia, government, industry
presenting novel research on all practical and theoretical aspects of the
aforementioned topics. The primary focus is on practical, high quality,
discussion of theoretical and practical impact, including concepts,
techniques, applications and practical experiences.</p>
<h1 id="topics">Topics</h1>
<p>All topic areas related to reliability, network security, privacy,
cryptography and information security are of interest and in scope.
Suggested topics include but are not restricted to:</p>
<ul>
<li>Anonymity and Privacy</li>
<li>Applied Cryptography and Implementations</li>
<li>Attacks, Persistence, Data Exfiltration</li>
<li>Authentication, Identification and Access Control</li>
<li><strong>Botnets and Malware</strong></li>
<li>Block and Stream Ciphers</li>
<li>Complexity-Theoretic Cryptography</li>
<li>Cloud Computing Security</li>
<li>Cryptanalysis</li>
<li>Cryptographic Hash Functions</li>
<li>Cryptographic and Security Protocols</li>
<li>Digital Signatures and Message Authentication Codes</li>
<li>Distributed Systems Security</li>
<li>Computer Espionage</li>
<li>Formal Security Methods</li>
<li>Game Hacking</li>
<li>Hardware Hacking</li>
<li>Internet Infrastructure</li>
<li>Internet of Things Security</li>
<li><strong>Incident Response</strong></li>
<li>Information-Theoretic Security</li>
<li>Lockpicking</li>
<li>Mobile Security</li>
<li>Network, Web and Wireless Security</li>
<li>Public-Key Encryption</li>
<li>Physical Cryptography</li>
<li>SDLC</li>
<li>Security Architectures and Models</li>
<li>Security Hardware</li>
<li>SIEM</li>
<li>Social Engineering</li>
<li>Software and Systems Security</li>
</ul>
<p>Submissions can be posted here:</p>
<p>https://docs.google.com/forms/d/1u08H7JsQbkvqRhMxrdBZvHan1Mzwqv7BS5m2_-uy7fo/viewform</p>
<p>Authors are invited to submit electronically, via GForm above, a
non-anonymous extended abstract. All submissions will be treated as
confidential, and will only be disclosed to the committee and their chosen
sub-referees. Referees are not required to read appendices; the paper
should be intelligible without them.</p>
<h1 id="presentation">Presentation</h1>
<p>Authors of accepted papers must guarantee that their paper will be
presented at the conference.</p>
<h1 id="dates-and-deadlines">Dates and Deadlines</h1>
<p>Submission: Noon EST, 1 Mar 2015</p>
<p>Notification to authors: 1 Apr 2015</p>
<p>Conference: 19-20 Apr 2015 (a Sunday and Monday just before RSA 2015)</p>
<h1 id="location">Location</h1>
<p>BSidesSF will be located at OpenDNS headquarters 135 Bluxome Street (SOMA)<br />
San Francisco, CA, USA</p>
Call for papers/presentations
2015-02-01T00:00:00+01:00
http://blog.malwareresearch.institute/news/2015/02/01/call-for-papers-presentations
<p>There are a lot of different security conferences around the world that ask for presentations on malware topics, and as a service to you we will announce them here as well.</p>
<p>If you have any research to present you know where to submit your papers. </p>
<p>If you come across any call for papers / presentations, please contact us at <a href="mailto:resources@malwareresearch.institute">resources@malwareresearch.institute</a> so we can announce it to all our readers.</p>
Anatomy of memory scraping, credit card stealing POS malware
2015-02-01T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/02/01/anatomy-of-memory-scraping-credit-card-stealing-pos-malware
<p>As much as we are trying to ignore it, IPv6 is here. And IPv6 has real problems. In my talk I’ll discuss some of these problems, and show a design for a botnet command and control system that will be extremely resistant to takedown.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/irB_Id8oZGA?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Malware Analysis 101 - N00b to Ninja in 60 Minutes
2015-01-31T00:00:00+01:00
http://blog.malwareresearch.institute/video/2015/01/31/malware-analysis-101-n00b-to-ninja-in-60-minutes
<p>Knowing how to perform basic malware analysis can go a long way in helping infosec analysts do some basic triage, to either crush the mundane or recognize when it’s time to pass the more serious samples on to the big boys. This presentation covers several analysis environments and the three quick steps that allow almost anyone with a general technical background to go from n00b to ninja (;)) in no time. Well … maybe not a “ninja” per se, but the closing does address follow-on resources on the cheap for those wanting to dive deeper into the dark world of malware analysis.</p>
<div class="embed video YouTube"><iframe width="480" height="270" src="https://www.youtube.com/embed/JShGkofeCHo?feature=oembed" frameborder="0" allowfullscreen=""></iframe></div>
Conference videos added
2015-01-30T00:00:00+01:00
http://blog.malwareresearch.institute/news/2015/01/30/conference-videos-added
<p>We have started to add videos about malware research from various security conferences to collect all the available resources to a single, easy to find and navigate, resource.</p>
<p>If you come across any paper, recorded presentation, slides, podcast or project worth mentioning please contact us at <a href="mailto:resources@malwareresearch.institute">resources@malwareresearch.institute</a>.</p>
Introducing Malware Research Institute
2015-01-29T00:00:00+01:00
http://blog.malwareresearch.institute/news/2015/01/29/introducing-malware-research-institute
<p>After last summer’s catastrophic hardware malfunction, where I lost my whole malware collection and a lot of computing resources, I have been working on new workflows and infrastructure that are less dependent on what I can fit in my very limited server space and available physical hardware. That being said, the amount of hardware I now have and am planning to acquire is a lot more than before.</p>
<p>To make this work I have now incorporated my hobby as a business and the goal is to make it a successful one, while keeping the original idea of providing the tools, techniques and methods for malware analysis available for anyone who wants to learn.</p>
<p>To mark this change I have created a new home for the malware research at <strong>Malware Research Institute</strong> where you can continue reading about malware research tools, techniques and methods. I hope that it will continue to be a valuable resource for you.</p>